Executive Summary

CVE-2026-5007 is a command injection vulnerability in the mcp-docs-rag project, specifically in the add_git_repository and add_text_file tools. The issue arises because these tools use Node.js's child_process.exec function unsafely by directly embedding user-controlled inputs such as repository_url, subdirectory, and file_url into shell commands without validation or sanitization.

Since exec runs commands through a system shell, malicious inputs containing shell metacharacters (like ;, &, |) can be interpreted as additional commands, allowing an attacker to execute arbitrary commands on the host system with the privileges of the MCP server process.

The vulnerability requires local access to perform the attack, and a proof-of-concept exploit is publicly available. The vulnerable code is located in src/index.ts at specific lines where user inputs are concatenated into shell commands.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with local access to execute arbitrary operating system commands on the MCP server host. The impact depends on the privileges of the MCP server process but can include unauthorized data access, modification of system files, and potential privilege escalation.

Successful exploitation could lead to full system compromise, data breaches, or disruption of services provided by the MCP server.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection flaw in the add_git_repository or add_text_file tools of the mcp-docs-rag server. Specifically, you can test if user-controlled inputs such as repository_url or file_url are unsafely passed to shell commands.

A practical detection method involves using the MCP Inspector tool to connect to the running MCP server and inputting a malicious parameter containing shell metacharacters to see if arbitrary commands are executed.

For example, a command injection test could be performed by providing a repository_url like: https://github.com/kazuph/mcp-docs-rag&whoami > poc.txt

If the server executes the injected command, it will create a file named poc.txt containing the output of the whoami command, confirming the vulnerability.

No specific network commands are provided, but monitoring for unexpected shell command executions or suspicious file creations (like poc.txt) on the host system can also indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include replacing the use of Node.js's child_process.exec function with execFile or execFileSync, which execute commands without invoking a shell and accept arguments as an array, preventing shell interpretation of user inputs.

Additionally, implement strict input validation and sanitization on all user-supplied parameters exposed to MCP clients, especially repository_url, subdirectory, and file_url, to prevent injection of shell metacharacters.

Employ parameter separation and proper escaping techniques to ensure that user inputs cannot be interpreted as additional shell commands.

Since the vulnerability requires local access to exploit, restrict local user permissions and monitor for suspicious activities related to the MCP server process.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to execute arbitrary commands on the MCP server host, potentially leading to unauthorized data access and system modification.

Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0